Closed btbonval closed 10 years ago
Appears not to even call school_list, the 403 is coming before that.
Typing /school/list/ into the URL bar does trigger the server's pdb.set_trace() I dropped into school_list. However, the autocomplete AJAX does not trigger the same breakpoint, even though it should be calling the same school_list.
URL /school/list/:
> /home/vagrant/karmaworld/karmaworld/apps/courses/views.py(109)school_list()
-> if not (request.method == 'POST' and request.is_ajax()
(Pdb) request.method
'GET'
(Pdb) c
[06/Feb/2014 23:22:27] "GET /school/list/ HTTP/1.0" 400 18
AJAX from Add Course:
[06/Feb/2014 23:22:31] "GET / HTTP/1.0" 200 3661
[06/Feb/2014 23:22:37] "POST /school/list/ HTTP/1.0" 403 544
"Django does indeed receive the HTTP POST as I do hit _HandleRequest(), however it returns a 403 Forbidden, instead of hitting my handler function. I experimented and sent a HTTP GET from my client application and in this case I am able to hit my handler function." https://groups.google.com/forum/#!topic/django-users/Z7rKIzyu7VM
People are talking about CSRF problems.
I noted another CSRF problem in HTTPS in this comment (https://github.com/FinalsClub/karmaworld/issues/320#issuecomment-34402578) which was going to lead to a ticket.
I'm going to take a stab in the dark and assume the root of this problem is CSRF on HTTPS.
Just to test: 403 both logged in and logged out while browsing with HTTPS. I thought maybe it was due to the SSLRedirect adjustments I made, or Django is somewhere requiring me to be logged in as per the above forum thread. Neither appears to be the source of the problem.
Problem solved in #324
This is not a problem on Beta. I'm not sure if this problem is a newly introduced bug (newer than code running on Beta) or a bug specific to my environment.
I can add a course with HTTP and the school field will autocomplete. When I switch to HTTPS, I get: